Day 3 covered data security fundamentals — what AI data is and where it lives. Today you implement the controls that protect it. This lesson covers CY0-001 Objective 2.4 and addresses encryption, anonymization, classification, redaction, masking, and minimization — the practical security controls applied to data throughout the AI pipeline.
The exam tests these controls frequently because they represent the intersection of traditional data security practices with AI-specific requirements. You already know most of these concepts from your security experience — the challenge is understanding how they apply differently in AI contexts.
AI systems handle data in three states, and each state requires encryption.
Data in transit must be encrypted as it moves between components — from the user to the API gateway, from the gateway to the model, from the model to the vector database, and from the model back to the user. TLS 1.3 is the standard for data in transit. For AI systems, pay attention to internal traffic between microservices — many organizations encrypt external traffic but leave internal model-to-database communication unencrypted.
Data at rest must be encrypted in storage — training datasets, model weights, vector embeddings, inference logs, and cached responses. AES-256 is the standard for data at rest. The key management question is critical: who holds the encryption keys for your model weights? If you use a cloud AI provider, do they hold the keys, or do you use customer-managed keys?
Data in use is the most challenging encryption state. Data in use is actively being processed — loaded into GPU memory for training or inference. Technologies like confidential computing, trusted execution environments (TEEs), and homomorphic encryption address data-in-use protection, but they come with significant performance overhead.
For the exam, remember: training data, model weights, embeddings, inference inputs, and inference outputs are all data that requires encryption in all three states. The most commonly overlooked assets are model weights (which represent the organization's intellectual property) and vector embeddings (which can be inverted to reconstruct original content).
Anonymization removes personally identifiable information (PII) from datasets so individuals cannot be re-identified. For AI systems, anonymization is applied to training data to prevent the model from memorizing and later reproducing personal information.
Anonymization techniques include:
K-anonymity ensures that every individual in a dataset is indistinguishable from at least k-1 other individuals. If k=5, any combination of quasi-identifiers (age, zip code, gender) matches at least 5 people in the dataset.
Differential privacy adds mathematical noise to data or query results so that the presence or absence of any single individual cannot be determined. This is particularly useful for AI training because it provides provable privacy guarantees while maintaining dataset utility.
Synthetic data generation creates artificial data that has the same statistical properties as real data but does not correspond to any real individual. Synthetic data can be used for model training without any privacy risk from the data itself — though the synthetic data generator must be trained on real data, which creates its own privacy considerations.
The critical exam point: anonymization must happen before training, not after. Once a model has been trained on data containing PII, the model has potentially memorized that information. Anonymizing the training data retroactively does not remove PII from the model's learned parameters.
Data classification assigns sensitivity labels to data based on its content and handling requirements. In AI systems, classification serves two purposes: enforcing access controls (only authorized users can access data at a given classification level) and enforcing policy (certain data classifications cannot be used for model training).
Classification labels typically follow a tiered structure: Public (no restrictions), Internal (company-only), Confidential (restricted distribution), Restricted/Secret (highest sensitivity). AI-specific considerations include labeling training data, model outputs, and embeddings with classifications inherited from their source data.
Automated classification uses ML models to classify data automatically. This creates a recursive dependency — you are using AI to classify data that will be used by other AI systems. The classification model itself must be validated and protected.
The exam tests whether you understand that model outputs inherit the classification of their inputs. If a model processes Confidential data, its responses are also Confidential — regardless of how the model transforms the information.
Redaction permanently removes sensitive information from data. In AI contexts, redaction is applied to model outputs to prevent sensitive data from reaching unauthorized users. A model might generate a response containing a customer's Social Security number extracted from training data — output redaction catches and removes it before delivery.
Masking replaces sensitive data with fictional but structurally similar values. A credit card number might be masked as XXXX-XXXX-XXXX-1234, preserving the last four digits for verification while hiding the full number. For AI training, masking preserves data utility (the model can still learn patterns) while removing sensitive values.
The distinction matters for the exam. Redaction removes data permanently — the information is gone. Masking replaces data with placeholders — the structure is preserved but the sensitive value is hidden. Choose redaction when data utility is not needed. Choose masking when you need to preserve the data's format and statistical properties.
Output filtering is the AI-specific application of redaction. An output filter scans model responses for patterns matching PII (email addresses, phone numbers, SSNs, credit card numbers) and redacts them before the response reaches the user. This is a compensating control for cases where the model has been trained on data containing PII.
Data minimization is the principle of collecting and retaining only the data necessary for a specific purpose. For AI systems, this means:
Training data minimization. Collect only the data needed to achieve model performance requirements. Larger training sets are not always better — they increase storage costs, training time, and the surface area for privacy and security incidents. If a model can achieve acceptable performance on 100,000 examples, there is no security justification for training on 10 million.
Inference data minimization. Log only what is necessary for monitoring and auditing. Full prompt logging captures everything users send to the model, including sensitive information. Consider logging metadata (timestamp, user ID, token count, response latency) without logging full prompt content.
Retention minimization. Delete data when it is no longer needed. Training data used for a specific model version can be archived or deleted after training is complete. Inference logs should have defined retention periods. Cached model responses should expire.
The exam expects you to balance minimization against operational needs. Deleting all inference logs minimizes privacy risk but eliminates the ability to investigate security incidents. The answer is usually a middle ground — log enough for security monitoring, redact sensitive content, and delete logs after a defined retention period.
Data security controls can impact model performance. The exam tests your understanding of these trade-offs.
Anonymization reduces data utility. Replacing names with tokens, adding noise through differential privacy, or masking values reduces the information available for training. Models trained on heavily anonymized data may perform worse than models trained on raw data.
Encryption in use adds latency. Homomorphic encryption and confidential computing enable processing encrypted data, but with significant computational overhead. Real-time inference with encrypted data may be too slow for some applications.
Minimization limits training data. Collecting less data means fewer training examples, which can reduce model accuracy. The security team and the ML team must collaborate to find the minimum dataset size that meets both performance and security requirements.
Redaction can alter outputs. Aggressive output redaction might remove information that users legitimately need, degrading the model's usefulness. False positive redaction — incorrectly flagging non-sensitive data as PII — frustrates users and reduces trust in the system.
The exam will not ask you to sacrifice security for performance. But it will ask you to identify the least impactful security control for a given scenario — the control that provides the necessary protection with the smallest performance cost.